Ecommerce Payments at a Glance
Online, three choices set your costs: the gateway, the integration, and which payment methods you offer. We start with cost because it shapes every other choice. Most stores should begin with a flat-rate gateway and hosted checkout.
Hosted checkout keeps you in the simplest PCI tier and deploys in hours. Add Apple Pay and Google Pay at no extra cost, keep PayPal for trust, and only build your own card form when you have a real reason to.
| If you… | Best-fit setup | Typical 2026 cost |
|---|---|---|
| Are starting out or under ~£75k/yr in cards | Flat-rate gateway, hosted checkout (SAQ A) | 1.4%–2.0% + 20–25p, £0 monthly (Shopify plan aside) |
| Run on Shopify or WooCommerce | Native payments + wallet buttons | Plan rate from 1.5%; wallets at no surcharge |
| Process above ~£75k/yr in cards | Negotiated Interchange++ acquirer | Interchange + ~0.3% + small fixed fee |
| Want the lowest scheme cost | Open banking “Pay by Bank” | Around 0.7%, no per-transaction cap |
Flat-rate UK online card fees in 2026 sit around 1.4%–2.0% plus a 20–25p fixed fee, with international cards adding a surcharge. Figures verified May 2026 against provider pricing pages.
Main Ways to Take Payments Online
How you take payment online splits two ways: the card route (hosted checkout, embedded form, or full API) and the methods you add alongside cards. The route sets your PCI work; the methods set your conversion.
| Route or method | Fits the store that… | Main drawback |
|---|---|---|
| Hosted checkout / payment links | Wants minimal PCI work and a fast launch | Customer is redirected; slight visual friction |
| Embedded form (fields on your page) | Wants a seamless on-brand checkout | Larger PCI scope (SAQ A-EP); Magecart exposure |
| Full API integration | Is enterprise and needs total control | Months of work and SAQ D unless tokenised |
| Wallets, open banking, BNPL | Wants higher conversion and order value | BNPL fees are premium; open-banking refunds differ |
Adoption is shifting fast. Around 30% of UK shoppers still prefer PayPal, BNPL is roughly 7% of UK ecommerce, and open banking “Pay by Bank” can cost as little as 0.7% with no fixed cap.
How Online Card Payment Processing Works
An online card sale is “card-not-present”, so it moves through the same three steps as any card payment — authorise, clear, settle — plus an identity check the customer never sees on a card machine.
Authorisation happens in seconds. Your gateway asks the buyer’s bank (the issuer) whether the funds exist and the card is genuine. This is where 3D Secure 2 runs, scoring the transaction and, if needed, asking for a biometric or app confirmation.
Clearing reconciles the day’s approved sales between the schemes (Visa, Mastercard), the issuer and your provider. Settlement then moves the money, minus fees, into your account. Stripe pays in 1–3 days; Worldpay next business day; GoCardless Bacs takes 3–5.
What Accepting Online Payments Costs
Headline rates hide the real cost. Work out your effective rate: total fees divided by total takings, including the fixed fee and any FX margin. On a £5 sale, a 20p fixed fee alone is 4% — before the percentage. We see this catch out stores selling cheap add-ons.
| Provider | Standard UK rate | Non-EEA / int’l | Monthly | Payout |
|---|---|---|---|---|
| Stripe | 1.5% + 20p | 3.25% + 2% FX | £0 | 1–3 days (instant 1%) |
| Square Online | 1.4% + 25p | 2.5% + 25p | £0 | 1–2 days |
| PayPal | 1.49%–3.49% + ~30p | +1.29%–1.99%, 3% FX | £0 | 1–3 days |
| Shopify Payments | 2.0%/1.7%/1.5% + 25p by plan | +2% | Plan fee | 3+ days |
| Mollie | 1.2% + 20p | 2.9%–3.25% + 20p | £0 | Daily |
| Worldpay | 1.3%–1.5% + 20p | up to 2.9% + 20p | £19.95 | Next day |
| Adyen | Interchange + 0.3% + £0.13 | Same model | £0 (min invoice) | Configurable |
| GoCardless (DD) | 1% + 20p (cap £4) | 2% + 20p | £0 | 3–5 days |
Flat-rate gateways win at low volume: no monthly fee, no minimum, and simple reconciliation. A store taking £4,000 a month in cards on Stripe at 1.5% + 20p pays roughly £60 in percentage fees, plus the 20p fixed fee on each order.
Two costs catch growing stores out. Cross-border FX is one — Stripe adds 2% on its 3.25% international rate, PayPal a 3% margin. Subscription tooling is the other: Stripe Billing adds about 0.5%–0.7% on top of the card rate.
Model your own mix before committing. Verified May 2026.
How to Set Up Online Payments
Setting up is a short sequence, and the order matters. We’d pick the integration that keeps your PCI scope small first, then layer on the methods that lift conversion.
1. Choose your integration. Hosted checkout or payment links for most stores — live in hours, PCI SAQ A. A full API build means months of engineering and SAQ D unless you tokenise.
2. Open the account and pass KYC. Have your company or sole-trader details, bank account and ID ready. Platforms like Shopify and WooCommerce wire their native gateway in a few clicks.
3. Turn on wallets and APMs. Enable Apple Pay and Google Pay (no surcharge, strong uplift), keep PayPal, and consider open banking or BNPL where your basket sizes justify it.
4. Configure SCA, then test. Switch on 3D Secure 2 with exemptions enabled, run a live transaction and a refund through each method, and confirm the payout lands when promised.
Strong Customer Authentication and PCI DSS for Online Sellers
Two rules shape every online checkout: Strong Customer Authentication (SCA) under PSD2, and PCI DSS. SCA decides how the customer proves who they are; PCI decides how much security work falls on you.
SCA is delivered through 3D Secure 2, which scores each payment and either waves it through (frictionless) or asks for a biometric or app confirmation (challenge). A passed challenge shifts fraud liability from you to the issuing bank, and 3DS cuts card-not-present fraud by around 70%.
Forcing every payment into a challenge wrecks conversion, so claim the exemptions: low-value (under about £25), Transaction Risk Analysis below issuer fraud thresholds, and merchant-initiated transactions for recurring charges after the first authenticated one.
PCI scope follows your integration. Hosted checkout is SAQ A — the simplest attestation. A form you host that posts to the gateway is SAQ A-EP. Card data through your own servers is SAQ D, the heaviest audit. Network tokenisation can pull that scope back down.
Common Mistakes to Avoid
The costly errors we see online are structural, not careless. These five quietly drain margin, conversion or compliance — and each is avoidable once you know to look.
Five mistakes that cost online sellers money
- Ignoring the effective rate. Judging a gateway on its headline % and forgetting the fixed fee and FX margin. On a £5 sale, 20p alone is 4%. Always divide total fees by total takings.
- Forcing every payment into a 3DS2 challenge. Skipping exemption logic adds needless friction and drives cart abandonment. Enable low-value, TRA and MIT exemptions.
- Not offering wallets. No Apple Pay or Google Pay on mobile leaves conversion on the table for zero surcharge.
- Inflating PCI scope. Storing raw card numbers on your server pushes you from a simple SAQ A to the punishing SAQ D audit. Use provider tokens instead.
- Booking net payouts as turnover. Gateways pay out after fees, but you must report gross. Net booking understates your income against the £90,000 VAT and £50,000 MTD thresholds.
When to Compare Payment Providers
You don’t need to re-tender constantly — only when something changes. We’d revisit your gateway at three moments.
First, when annual card turnover nears £75,000, where a negotiated Interchange++ rate starts to beat a flat rate. UK debit interchange is capped at 0.2%, so a 0.3% acquirer margin can mean paying nearer 0.5% than 1.5%.
Second, when international sales grow and FX margins bite. Third, when your checkout data shows a wallet or open-banking gap. We’d let those signals, not the calendar, trigger the review.
For provider-by-provider numbers, see our individual gateway reviews and payment processing roundups rather than choosing on a headline rate alone.
Frequently Asked Questions
Which PCI SAQ applies if I use hosted checkout?
Hosted checkout, payment links and full-page redirects qualify for SAQ A — the simplest self-assessment questionnaire, because the card data never touches your servers. If you host the payment form yourself and post it to the gateway, you move up to SAQ A-EP; if card data passes through your own systems, the heavier SAQ D applies. Network tokenisation can pull an API integration’s scope back toward SAQ A.
Do Apple Pay and Google Pay cost more than card payments?
No. Digital wallets process at your gateway’s standard card rate with no premium surcharge, because under the bonnet they are tokenised cards. They also tend to lift checkout conversion — UK Shopify data points to roughly a 22% uplift versus manual card entry — so they are close to free conversion. Enable them on mobile in particular.
Is Strong Customer Authentication required on every payment?
No. SCA via 3D Secure 2 is the default for UK card payments, but several exemptions let low-risk payments through without a challenge: low-value transactions under about £25, Transaction Risk Analysis where your provider’s fraud rate is low, and merchant-initiated transactions for recurring charges after the first authenticated payment. Coding these exemptions is what keeps conversion high.
How do I report revenue when the gateway pays me net of fees?
Record your gross sales — the full amount the customer paid — as turnover, and claim the processing fees separately as an allowable expense. Don’t book the net bank deposit as your revenue: that understates your turnover against the £90,000 VAT threshold and the £50,000 MTD for Income Tax threshold, and it loses you the VAT recovery on the fees. Your gateway statements reconcile gross sales, fees and payouts.
What does a chargeback cost, and can I win the dispute?
Stripe and Worldpay charge a £20 fee per dispute, and the funds are pulled immediately. Winning is hard: merchants succeed on only around 17% of fraud-coded chargebacks, and “friendly fraud” — genuine cardholders disputing real purchases — now drives 70%–80% of them. The better defence is prevention: 3D Secure 2 shifts liability to the issuer on authenticated payments and cuts card-not-present fraud by around 70%.
How We Researched This Guide
Sources. Fee, FX and settlement figures come from current provider pricing pages; fraud and chargeback data from UK Finance; VAT and MTD thresholds from GOV.UK and HMRC; PCI scope and SAQ detail from the PCI Security Standards Council.
Open and forward-looking items. We flag rather than assert things still in flux: BNPL comes under FCA regulation from mid-2026, and the EU’s €150 import VAT de minimis is set to be phased out from 1 July 2026. The ~£75,000 tipping point is indicative, not a hard line.
Verification date. Fees, thresholds and rules were verified in May 2026. Provider pricing and HMRC thresholds change — confirm current figures directly before acting. Cited rates represent typical 2026 market levels.
Affiliate disclosure. Some links on our payment processing pages are affiliate links. This guide is editorial content and our recommendations are not influenced by commercial relationships. See our editorial policy for details.